cbcvebase.
CVE-2025-10897
published 2025-10-31


Priority: P2 (67) · Severity: high · CVSS 3.1 base score: 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit: available
EPSS: 1.84% (76.4th percentile)
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.

Affected (1 range)

Vendor       Product                    Version range   Fixed in
jma_plugins  woocommerce_designer_pro   <= 1.9.28       (not stated)

Detection & IOCs (extracted from sources)

url:      /wp-admin/admin-ajax.php
command:  action=wcdp_convert_resource_cmyk&url=file:///etc/passwd
bytes:    cm9vdDp4OjA6MDpy  (base64; decodes to root:x:0:0:r)
  • The exploit is unauthenticated: monitor requests to /wp-admin/admin-ajax.php carrying action=wcdp_convert_resource_cmyk together with a url= parameter that uses the file:// scheme (e.g., file:///etc/passwd or file:///var/www/html/wp-config.php). The sources describe POST requests, but admin-ajax.php takes the action from $_REQUEST, so inspect the query string as well as the form body, and percent-decode (file%3A%2F%2F) before matching.
  • Successful exploitation returns a JSON response containing both 'success' and 'base64' keys; the base64 payload is the raw file content (e.g., cm9vdDp4OjA6MDpy decodes to root:x:0:0:r, the start of /etc/passwd), so it can serve as a response-body match. The leaked content appears only in the response, so this check needs a proxy or WAF that records response bodies; plain access logs show only the request side.
  • Identify candidate WordPress installations by searching HTTP response bodies for the string 'wc-designer-pro' (FOFA/Shodan fingerprint); confirm the theme version before treating a host as vulnerable.
  • Every site running WooCommerce Designer Pro 1.9.28 or earlier is exposed to unauthenticated arbitrary file read, including wp-config.php. If exploitation is observed, treat the database credentials and the authentication keys and salts in that file as compromised and rotate them.
  • No authentication or user interaction is required (PR:N, UI:N): any HTTP client can trigger the file read through the AJAX action endpoint.
  • The root cause is missing input validation on the url= parameter, which accepts file:// URIs and turns the resource fetch into an arbitrary local file read (the file's bytes are returned to the client; this is a read, not code inclusion or execution).
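The detection points above, turned into runnable request/response matching logic. This is an added example written for this page, not code from the page's sources or from the theme; it assumes a constructed proxy/WAF record format with uri, body and response fields (real WAF schemas differ), and the function names, the DB_PASSWORD signature used to recognise a leaked wp-config.php, and the sample records are all mine. It goes slightly beyond the bullets by also handling the GET/percent-encoded variant that admin-ajax.php accepts.

```python
"""
Detector for CVE-2025-10897 exploit attempts against admin-ajax.php.
Added example: record format and sample data are constructed, not taken
from any real deployment.
"""
import base64
import json
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "wcdp_convert_resource_cmyk"

# Substrings that identify which file was read, checked after base64 decoding.
# DB_PASSWORD is the constant every wp-config.php defines (assumption: the
# attacker read the whole file, so the constant name is present).
LEAK_SIGNATURES = {
    "/etc/passwd": b"root:x:0:0:",
    "wp-config.php": b"DB_PASSWORD",
}


def request_params(uri, body=""):
    """Merge query-string and form-body parameters into one dict.

    admin-ajax.php reads 'action' from $_REQUEST, so the payload may arrive
    either as a GET query string or as a POST form body.
    """
    parsed = urlparse(uri)
    params = parse_qs(parsed.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return parsed.path, params


def is_exploit_attempt(uri, body=""):
    """True when the request hits the vulnerable action with a file:// URL."""
    path, params = request_params(uri, body)
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    if VULN_ACTION not in params.get("action", []):
        return False
    # parse_qs already percent-decodes, so file%3A%2F%2F is matched as well.
    return any(u.lower().startswith("file:") for u in params.get("url", []))


def leaked_file(response_body):
    """Name the leaked file if the response looks like a successful read.

    A successful exploit answers with JSON carrying both 'success' and
    'base64' keys; the base64 payload is the raw file content.  Returns
    None when the response does not match that shape.
    """
    try:
        doc = json.loads(response_body)
    except (ValueError, TypeError):
        return None
    if not isinstance(doc, dict) or "success" not in doc or "base64" not in doc:
        return None
    try:
        content = base64.b64decode(doc["base64"], validate=True)
    except (ValueError, TypeError):
        return None
    for name, signature in LEAK_SIGNATURES.items():
        if signature in content:
            return name
    return "unknown file"


def scan(records):
    """Return (index, verdict) for every record that is an exploit attempt."""
    hits = []
    for i, rec in enumerate(records):
        if not is_exploit_attempt(rec["uri"], rec.get("body", "")):
            continue
        leak = leaked_file(rec.get("response", ""))
        hits.append((i, ("exploited:" + leak) if leak else "attempt"))
    return hits


# Constructed sample records modelled on a reverse-proxy log that keeps bodies.
SAMPLE_RECORDS = [
    # POST form body; /etc/passwd read succeeded (response uses the page's IOC bytes)
    {"uri": "/wp-admin/admin-ajax.php",
     "body": "action=wcdp_convert_resource_cmyk&url=file:///etc/passwd",
     "response": '{"success":true,"base64":"cm9vdDp4OjA6MDpy"}'},
    # Same payload via GET with a percent-encoded scheme; server returned an error
    {"uri": "/wp-admin/admin-ajax.php?action=wcdp_convert_resource_cmyk"
            "&url=file%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fwp-config.php",
     "response": '{"success":false}'},
    # Legitimate use of the same action with a remote resource: not flagged
    {"uri": "/wp-admin/admin-ajax.php",
     "body": "action=wcdp_convert_resource_cmyk&url=https://example.com/logo.png",
     "response": '{"success":true,"base64":"iVBORw0KGgo="}'},
    # Unrelated AJAX action: not flagged
    {"uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat", "response": "0"},
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_RECORDS):
        print(f"record {index}: {verdict}")
```

The request side flags attempts regardless of outcome, which is what you want for alerting; the response side distinguishes a blocked or failed attempt from a confirmed leak, and only the latter should trigger credential rotation.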